CYBER ATTACK: IS THE NATION AT RISK?


WEDNESDAY, JUNE 24, 1998 

U.S. Senate,

Committee on Governmental Affairs, 

Washington, DC. 

The Committee met, pursuant to notice, at 10:05 a.m., in room 
SD-342, Dirksen Senate Office Building, Hon. Fred Thompson, 
Chairman of the Committee, presiding. 

Present: Senators Thompson and Lieberman. 

OPENING STATEMENT OF CHAIRMAN THOMPSON 

Chairman Thompson. The Committee will come to order, please. 
I welcome our witnesses this morning. 

The Governmental Affairs Committee today is holding its second 
in a series of hearings on the security of Federal computer systems. 
Anyone who thinks that that is a dull subject will, I think, quickly 
be disabused of that notion. In fact, I think they probably already 
have if they have listened to some of the hearings that we and 
other committees have already had. 

Today's hearing will focus on the intelligence community's
assessment of the threats to our Nation's information systems.
During our hearing last month, we heard that the foundation of our
Nation’s information infrastructure is riddled with security
vulnerabilities and flaws.

The L0pht hacker think tank, which testified at our earlier
hearing, stated that they “could very trivially make the Internet
unusable for the entire Nation.” This has serious implications when
considering how dependent our society has become on the Internet.
L0pht also testified that, given enough resources, a small group of
skilled hackers could wreak havoc on our country—ranging from
shutting down communications systems and utilities to causing
unstable financial markets.

Dr. Neumann, a renowned computer security expert who also
testified, agreed with this, stating that “massive coordinated
attacks on our infrastructure are possible; however, it may take a
Chernobyl-scale event to raise awareness levels adequately,
perhaps bringing several of the national infrastructures to their knees
simultaneously.”

We cannot wait for such an electronic Pearl Harbor or Oklahoma 
City to recognize that there is a serious problem. At risk are the 
systems that control national security, air traffic, finances, power, 
and communications. To date, the mainstream media has focused 
on unsophisticated hacking of governmental systems. That does not 
accurately represent the seriousness of the threat. 

We often read about the hackers that have been caught, but
what about the sophisticated hackers who are not detected, who
are not caught? What gives me great concern is that we simply do
not know what we do not know. According to a 1996 estimate by
the Defense Information System Agency, as many as 250,000
attacks occurred on defense systems in 1995. How many of these
were actually detected? How many of the perpetrators were
caught? How many viruses were left behind? How much critical
data was compromised? Unfortunately, we simply cannot answer
those questions.

Of course, this is not the major problem. We see that we
increasingly have concerns about being targeted by other nations and
other groups. As the American way of life becomes increasingly
dependent on computer systems and the uninterrupted flow of
information, the use of information technologies as a tool of warfare and
terror becomes increasingly likely. Instead of confronting us head to
head on the traditional battlefield where they would undoubtedly
lose, adversaries will confront the United States at its point of least
resistance—and that is our information infrastructure. Cyberspace
is the battlefield of tomorrow.

This is well understood by our potential adversaries, whether it
be other nations or terrorists, drug cartels, or organized crime
groups. They can reach deep into our homeland from the sanctity
of theirs. This is not just a theory. We know for a fact that
terrorists and organized crime groups are developing information warfare
systems. A recent Newsweek article claims that there are about ten
countries, in addition to China and Russia, with information
warfare programs. Among these countries are Libya, Iraq, and Iran,
and, of course, they are not friends of the United States, and all
of them sponsor anti-American terrorists.

I do not believe that this is a futuristic threat, as some portray
it. The threat is real, it is serious, and it is here today. Cyber
weapons are being developed, countries are incorporating strategies
into their doctrine, our computer systems are being probed to
identify vulnerabilities, and our defenses are weak.

I believe that protecting our Nation against cyber attack
represents one of the greatest challenges that we have faced as a
country. We must act now to develop the policies, plans, programs,
and strategies to deter this threat.

Today, we will hear from the leaders of our intelligence
community, the Hon. George Tenet, Director of the Central Intelligence
Agency, and Lieutenant General Ken Minihan, Director of the
National Security Agency. Mr. Tenet will provide an assessment on
the threats to our information infrastructure and what is being
done to address these threats. General Minihan will testify on the
findings from the military exercise called “Eligible Receiver,” which
identified serious vulnerabilities of our Nation’s computer system.
Senator Lieberman.

OPENING STATEMENT OF SENATOR LIEBERMAN 

Senator Lieberman. Thank you, Mr. Chairman. Once again, let
me thank you for holding this hearing and let me join you in
welcoming Mr. Tenet and General Minihan.

Mr. Chairman, I am struck, as I was at our May hearing on
computer security, by the enormity of the problem that we are
discussing today. The scope of the threat that we are facing, which is to
say the ability of foreign governments or non-governmental hostile
groups, such as terrorists, to effectively shut down our economy
and to hamper our military’s ability to operate effectively is
obviously worrisome and profoundly unsettling.

We are all accustomed to thinking of computers as a great
benefit, and they usually are. They give us instant access to all sorts
of information at any time of day or night. They make our trains
and planes run effectively and smoothly. They operate our power
systems. They have made it so that I, for instance, am able through
E-mail to stay as closely in touch with one of my children who is
in school in England as my parents were able to with me when I
was in college just a couple of towns away from them—and may I
add, I do so at less cost than they did.

Computers, in short, particularly the interconnection of computer
networks through the Internet, have revolutionized our lives,
almost always for the better. But as this Committee’s examination of
this problem is showing, with the computer information age
revolution has come a new kind of dependency and, therefore, a new form
of vulnerability. Unfortunately, we have been slower to appreciate
the risks of the computer revolution than we have been to take
advantage of its benefits.

As our witnesses will explain to us today, our critical
infrastructures—banking, financial, communications, transportation,
security—are all dependent on computer systems and, therefore, are
vulnerable. And each of these computer systems can be hacked into
and disrupted.

If we were dealing only with a group of young hackers, that
would be troubling enough. But as we will hear today, we face
much more sophisticated and ominous and hostile threats than a
bunch of teenagers engaged in a New Age rite of passage. A
number of terrorist groups and nations are adding cyber warfare
weapons to their arsenals. They are developing the ability to hack into
computer systems, and once in them, to disrupt or even shut down
parts of our economy to affect significantly our military’s ability to
do its job.

In fact, as one of our witnesses may indicate today, some experts
predict that this type of information warfare can be as effective at
immobilizing our defenses as some of the conventional weapons or
weapons of mass destruction that we are focused on.

This, naturally, worries all of us. It should worry all of us. Of
course, it should also propel us to work together to build a system
of defenses to this new high-tech threat to our national security.

So, Mr. Chairman, I truly appreciate your holding these
hearings. They are critically important. I thank you for illuminating
what might be described as the down side of our entrance into
cyberspace and the information age. I look forward to hearing from
our distinguished witnesses today, and most importantly, I look
forward to working with them and you and others in the Congress
to develop methods for better protecting ourselves from the threat
of IW, of information warfare. Thank you.

Chairman Thompson. Thank you very much. Mr. Tenet.

TESTIMONY OF THE HON. GEORGE J. TENET, DIRECTOR OF 
CENTRAL INTELLIGENCE 

Mr. Tenet. Thank you, Mr. Chairman. Just like the proliferation
of weapons of mass destruction, international terrorism, and drug
trafficking, information warfare has the potential to deal a
crippling blow to our national security if we do not take strong
measures to counter it.

Consider, for example, the Washington Post report early this year
that 11 U.S. military systems were subjected to an electronic
assault. The perpetrators were not initially known because they hid
their tracks by routing their attack through the United Arab
Emirates computer systems. While no classified systems were
penetrated and no classified records were accessed, logistics,
administration, and accounting systems were accessed. These systems are
the central core of data necessary to manage our military forces
and deploy them to the field. In the end, we found two young
hackers from California had perpetrated the attacks via the United
Arab Emirates under the direction of a teenage hacker from Israel.

This should not surprise us. As you mentioned, Mr. Chairman,
a recent DoD study said that DoD systems were attacked a quarter
of a million times in 1995. As a test, the Defense Department
organization that same year conducted 38,000 attacks of their own.
They were successful 65 percent of the time, and 63 percent of the
attacks went completely undetected.

We have spent years making systems interoperable, easy to
access, and easy to use, yet we still rely on the same methods of
security that we did when data systems consisted of large mainframe
computers housed in closed rooms with limited physical access. By
doing so, we are building an information infrastructure, the most
complex the world has ever known, on a very insecure foundation.
We have ignored the need to build trust into our own systems.
Simply hoping that someday, we can add the needed security before it
is too late is not a strategy.

In this hearing today, Mr. Chairman, I hope to leave you with 
three key points. First, I want you to take away an appreciation 
for the growing seriousness and significance of the emerging threat 
to our information systems. 

Second, I want to emphasize the need to evaluate the threat from
the perspective of both State and non-State actors. Proliferation of
malicious capabilities exists at every level.

And finally, I want to provide you with an appreciation for what
the intelligence community is doing to combat the problem. On this
last point, let me assure you that our engagement in infrastructure
protection extends not just to efforts within the intelligence
community, but to participation with all other stakeholders in our
Nation’s infrastructure systems, across government agencies, in
academia and the private sector.

As this Committee well understands, we have staked our way of
life on the use of information. We rely more and more on computer
networks for the flow of essential information. Like electricity, we
now take information infrastructures for granted. Reliability breeds
dependence and dependence breeds vulnerabilities. Today, as a
result of the dramatic growth of and dependency on new information
technologies, our infrastructures have become increasingly
automated and interlinked.

Disruptions in information based on technologies can range from
being a serious nuisance, as we saw just weeks ago when the loss
of a single satellite caused a nationwide halt in electronic pager
systems, to the potentially disastrous. Consider what such a
disruption would have caused to Operation Desert Storm, where our
information systems had to accommodate a communications volume
of 100,000 electronic messages and 700,000 telephone calls a day.
Seven years later, those figures would be far greater and our
reliance on computers is much greater, as well.

It is in this context that we must appreciate that future enemies,
whether nations, groups, or individuals, may seek to harm us in
nontraditional ways. Nontraditional attacks against our
information infrastructures could significantly harm both our military
power and our economy.

Who would consider attacking our Nation’s computer systems?
Yesterday, you received a classified briefing answering this
question in some detail, Mr. Chairman. I can tell you in this forum that
potential attackers range from national intelligence and military
organizations, terrorists, criminals, industrial competitors, hackers,
and disgruntled or disloyal insiders. Each of these adversaries is
motivated by different objectives and constrained by different levels
of resources, technical expertise, access to a target, and risk
tolerance.

Why would we be attacked? There are plenty of incentives—trillions
of dollars in financial transactions in commerce moving over
a medium with minimal protection and sporadic law enforcement,
increasing quantities of intellectual property residing on network
systems, and the opportunity to disrupt military effectiveness and
public safety with the elements of surprise and anonymity. The
stakes are enormous. Protecting our critical information
infrastructure is an issue that we should all be deeply troubled about.

As I recently testified before the Senate Intelligence Committee
in January, we have identified several countries that have
government-sponsored information warfare programs. Foreign nations
have begun to include information warfare in their military
doctrine as well as their war college curricula with respect to both
defensive and offensive applications. It is clear that nations
developing these programs recognize the value of attacking a country’s
computer systems, both on the battlefield and in the civilian arena.

The magnitude of the threat from various forms of intrusion,
tampering, and delivery of malicious code is extraordinary. We
know with specificity of several nations that are working on
developing an information warfare capability. In light of the
sophistication of many other countries in programming and Internet usage,
the threat has to be viewed as a factor requiring considerable
attention by every agency of government.

Many of the countries whose information warfare efforts we
follow realize that in a conventional military confrontation against
the United States, they cannot prevail. These countries recognize
that cyber attacks, possibly launched from outside the United
States against civilian computer systems in the United States
represent the kind of asymmetric option they will need to level the
playing field during an armed crisis against the United States.

Just as foreign governments and the military services have long
emphasized the need to disrupt the flow of information in combat
situations, they now stress the power of information warfare when
targeted against civilian information infrastructures. The three
following statements, all from high-level foreign defense or military
officials, illustrate the power and the import of information warfare
in the decades ahead.

For example, in an interview late last year, a senior Russian
official commented that an attack against a national target, such as
transportation or electrical power distribution, would, “by virtue of
its catastrophic consequences, completely overlap with the use of
weapons of mass destruction.”

An article in China’s People Liberation Daily stated that, “An
adversary wishing to destroy the United States only has to mess up
the computer systems of its banks by high-tech means. This would
disrupt and destroy the U.S. economy. If we overlook this point and
simply rely on the building of a costly standing army, it is just as
good as building a contemporary Maginot Line.”

A defense publication from yet a third country stated that
“information warfare will be the most vital component of future wars
and disputes.” The author predicted bloodless conflict since,
“information warfare alone may decide the outcome.”

As these anecdotes clearly demonstrate, the battle space of the 
information age will surely extend toward domestic infrastructure. 
Our electric power grids and our telecommunications networks will 
be targets of the first order. An adversary capable of implanting 
the right virus or accessing the right terminal can cause massive 
damage. 

Information warfare is not just about offensive capability,
however, but about defensive readiness, as well. This fact has not been
lost on others. Many nations, several of which are potential
adversaries, are reviewing their own growing dependence on information
systems, both for military and civil activities. They are searching
out their vulnerabilities and developing approaches to protect
themselves. We must do the same. If not, we could soon find
ourselves at a significant disadvantage in addressing what may be the
key security challenge of the next decade and beyond.

Next, Mr. Chairman, I want to examine the degree to which this
threat has proliferated beyond traditional nation states to become
the potential weapon of choice for less structured adversaries.
Terrorists and non-State actors are beginning to recognize that
information warfare offers them new, low-cost, and easily-hidden tools
to support their causes. They, too, will see the United States as a
potentially lucrative target. These people will be very difficult for
the United States to trace in cyberspace.

Terrorists, while unlikely to mount an attack on the same scale
as a nation, can still do considerable harm. What is worse, the
technology of hacking has advanced to the point that many of the
tools which required in-depth knowledge a few years ago have
become automated and more user friendly. It may even be possible
for terrorists to use amateur hackers as their unwitting
accomplices in a cyber attack. Cyber attacks offer terrorists the
possibility of greater security and operational flexibility. Theoretically,
they can launch a computer assault from almost anywhere in the
world without directly exposing the attacker to physical harm.

Terrorists are not bound by traditional norms of political
behavior between states. While a foreign state may hesitate to launch a
cyber attack against the United States due to fear of retaliation or
negative political consequences, terrorists often seek the attention
and the increasing fear that would be generated by such a cyber
attack.

Established terrorist groups are likely to view attacks against
information systems as a means of striking at government,
commercial, and industrial targets with little risk of being caught. Global
proliferation of computer technology and the open availability of
computer tools that can be used to attack other computers make
it possible for terrorist groups to develop this capability without
great difficulty.

Terrorists and extremists already are using the Internet and 
even their own web pages to communicate, raise funds, recruit, and 
gather intelligence. They also will use it to launch attacks against 
their adversaries. They may even launch attacks remotely from 
countries where their actions are not illegal or with whom we have 
no extradition agreements. Let me give you a few examples of what 
I am talking about. 

The group calling themselves the Internet Black Tigers took
responsibility for attacks last August on the E-mail systems of Sri
Lankan diplomatic posts around the world, including those in the
United States. Italian sympathizers of the Mexican Zapatista
rebels crashed web pages belonging to Mexican financial
institutions. While such attacks did not result in damage to the targets,
they were portrayed as successful by the terrorists and used to
generate propaganda and rally supporters.

Mr. Chairman, as terrorists and other adversaries well know, our 
society is based on the free flow of information. That concept is 
clearly embodied in the Constitution. It forms the foundation of our 
freedoms and of our productivity. Consequently, our systems are 
built to facilitate access and openness and they must remain so 
within the reasonable bounds of security. It is just that openness, 
however, that makes our system so vulnerable. 

So how will we detect an attack in this world of vast 
interconnectivity? It will not be easy. In the first place, those who 
would attack us generally are tough intelligence targets. Second, 
they will use cheap, easily available technology and techniques. 
Patterns will be difficult to spot. 

Furthermore, intrusion detection technology is still in its infancy
and the systems we will need to observe are very diverse. When
attacks are detected, the source of the attack will be disguised.
Moreover, after trouble is detected, it takes time for an analyst to
determine whether the problem took hold by accident or by design.
Unless we have intelligence indications dealing with someone’s
intention to attack, such as through a human source, tactical
warning will be very, very difficult to attain.

However, by combining the efforts of government and industry,
we will be able to pool our strengths and share the necessary
information to allow a reasonable defense. By sharing the research and
development burden between public and private sectors, we each
will be better able to take advantage of the other’s expertise. This
is one of the advantages of connectivity.

In my written statement, Mr. Chairman, I have described
numerous initiatives and working groups in which the intelligence
community is involved to better handle the information warfare
threat. These range from our national intelligence estimate devoted
to this topic to establishing new units within the community to
focus on this problem full time. Further, as you can see from the
written statement, we have made great strides in our cooperative
efforts with the Departments of Defense and Justice to overcome
cross-agency challenges that the information age creates.

Since those efforts are laid out in the written statement, I would
like to return to a theme raised earlier in my remarks and tell you
more about what I mean. Having created our information systems
on a foundation that lacks adequate security, we have to focus on
building trust into our systems. What do I mean?

It is more than just security. Security is concerned with locks
and fences and guards. Trust is the belief that the security works.
Security involves more than just encryption. It is also about
authentication and digital signatures and data integrity. Trust is
about key management, digital certificates, and policies, such as
what your privileges are and what you are authorized to do with
your digital signatures. Making our systems secure and
trustworthy, while not an intelligence community issue per se, is the
ultimate solution to the threat of information warfare.

I know, Mr. Chairman, that you plan to have a hearing later on
about how we do the protection side of the business. I would say
to you that it is very clear that we have shared vulnerabilities
between the private sector and the government and what we do not
have today is a system of trust that ensures both the privacy of the
information we seek to pass and the ability to protect that
information.

We have had an enormous debate in this country about
encryption. Encryption is not the issue. The issue is, is there a
system in place that allows us to authenticate you as the user? Is
there a system in place that allows us to understand whether you
have the responsibility or the right to transfer the information that
you have transferred? Is there a system in place that allows you
to verify that the data that you have transferred has not been
manipulated?

There is no such system in place and the private sector and the 
government have a responsibility to work towards this. If such a 
system was in place, if we could protect the integrity of the data 
and its authentication, we would deny our adversaries many of the 
tools that they are using today against our information systems, 
and this is an important point that you have to understand while 
we talk to you about the threat. 

Finally, Mr. Chairman, let me say that the concerns that we
raise today, although not yet on the front burner, are urgent. In 
fact, the approach of the year 2000 makes our work all the more 
critical. It is generally understood that the year 2000 problem 
poses inherent risks to our system, but it is less understood that 
the year 2000 also affords special opportunities for our adversaries. 
For example, our dependence on foreign software development is
a source of concern. It is possible foreign actors with hostile intent 
may try to exploit the year 2000 problem for their own ends. As 
we come upon that date, we have to do more than just ensure that 
our systems function on January 1, 2000, that they function and 
that they are, indeed, secure. 

These are all enormous challenges, Mr. Chairman, and I think 
we have raised a number of issues that we will want to talk about 
and I thank you for the time and attention you have devoted to 
this issue. 

[The prepared statement of Mr. Tenet follows:] 

PREPARED STATEMENT OF MR. TENET 

Mr. Chairman, distinguished Members of this Committee, it is a pleasure for me
to come here today to discuss with you a very serious threat to our national
security—the vulnerability of our critical information infrastructure to a potentially
devastating high tech attack.

Just like the proliferation of Weapons of Mass Destruction, international
terrorism, and drug trafficking, information warfare has the potential to deal a crippling
blow to our national security if we do not take strong measures to counter it.

Consider for example the Washington Post report early this year that eleven U.S.
military systems were subjected to an “electronic assault.” The perpetrators were
not initially known because they hid their tracks by routing their attack through
the United Arab Emirates computer systems. While no classified systems were
penetrated and no classified records were accessed, logistics, administration and
accounting systems were accessed. These are the central core of data necessary to
manage our military forces and deploy them to the field. In the end, we found two
young hackers from California had perpetrated the attacks via the United Arab
Emirates under the direction of a teenage hacker from Israel.

This should not surprise us. A recent DoD study said that DoD systems were
attacked a quarter of a million times in 1995. As a test, a Defense Department
organization that same year conducted 38,000 attacks of their own. They were successful
65 percent of the time. And 63 percent of the attacks went completely undetected.

We have spent years making systems interoperable, easy to access, and easy to
use. Yet we still rely on the same methods of security that we did when data
systems consisted of large mainframe computers, housed in closed rooms with limited
physical access. By doing so, we are building an information infrastructure—the
most complex the world has ever known—on an insecure foundation. We have
ignored the need to build trust into our systems. However, simply hoping that
someday we can add the needed security before it’s too late is not a strategy.

In this hearing today, Mr. Chairman, I hope to leave you with three key points.
First, I want you to take away an appreciation for the growing seriousness and
significance of the emerging threat to our information systems. Second, I want to
emphasize the need to evaluate the threat from the perspective of both State and
non-State actors—proliferation of malicious capabilities exists at every level. And finally,
I want to provide you with an appreciation for what the Intelligence Community is
doing to combat the problem. On this last point, let me assure you that our
engagement in infrastructure protection extends not just to efforts within the intelligence
community but to participation with all the other stakeholders in our Nation’s
infrastructure systems—across government agencies, in academia and in the private
sector.

Growing Dependence on Information Systems

As this Committee well understands, we have staked our way of life on the use
of information. We rely more and more on computer networks for the flow of
essential information. Like electricity, we now take information infrastructures for
granted. Reliability breeds dependence—and dependence produces vulnerabilities. Today,
as a result of the dramatic growth of and dependency on new information
technologies, our infrastructures have become increasingly automated and inter-linked.
Disruptions in information-based technologies can range from being a serious
nuisance—as we saw just weeks ago when the loss of a single satellite caused a
nationwide halt in electronic pager systems—to potentially disastrous. Consider what such
a disruption would have caused in Operation Desert Storm, where our information
systems had to accommodate a communications volume of 100,000 electronic
messages and 700,000 telephone calls a day. Seven years later, those figures would be
far greater and our reliance on computers is much greater as well.

It is in this context that we must appreciate that future enemies, whether
nations, groups, or individuals, may seek to harm us in non-traditional ways.
Non-traditional attacks against our information infrastructures could significantly harm
both our military power and our economy.

Who would consider attacking our Nation’s computer systems? Yesterday, you
received a classified briefing answering this question in some detail. I can tell you in
this forum that potential attackers range from national intelligence and military
organizations, terrorists, criminals, industrial competitors, hackers, and disgruntled or
disloyal insiders. Each of these adversaries is motivated by different objectives and
constrained by different levels of resources, technical expertise, access to target, and
risk tolerance.

And why would we be attacked? There are plenty of incentives: 

• Trillions of dollars in financial transactions and commerce moving over a
medium with minimal protection and sporadic law enforcement;

• Increasing quantities of intellectual property residing on networked systems; 

• And the opportunity to disrupt military effectiveness and public safety, with 
the elements of surprise and anonymity. 

The stakes are enormous. Protecting our critical information infrastructure is an 
issue that I am deeply concerned about and requires attention from us all. 

Threats from Foreign States 

As I recently testified before the SSCI in January, we have identified several 
countries that have government-sponsored information warfare programs. Foreign 
nations have begun to include information warfare in their military doctrine as well 
as their war college curricula with respect to both offensive and defensive applica¬ 
tions. It is clear that nations developing these programs recognize the value of at¬ 
tacking a country’s computer systems—both on the battlefield and in the civilian 
arena. 

The magnitude of the threat from various forms of intrusion, tampering, and delivery
of malicious code is extraordinary. We know with specificity of several nations
that are working on developing an information warfare capability. In light of the
sophistication of many other countries in programming and Internet usage, the
threat has to be viewed as a factor requiring considerable attention by every agency
of government. Many of the countries whose information warfare efforts we follow
realize that in a conventional military confrontation against the United States, they
cannot prevail. These countries recognize that cyber attacks—possibly launched
from outside the United States—against civilian computer systems in the United
States—represent the kind of asymmetric option they will need to “level the playing
field” during an armed crisis against the United States.

Just as foreign governments and their military services have long emphasized the 
need to disrupt the flow of information in combat situations, they now stress the 
power of “Information Warfare (IW)” when targeted against civilian information in¬ 
frastructures. The three following statements, all from high-level foreign defense or 
military officials, illustrate the power and the import of information warfare in the 
decades ahead. 

• For example, in an interview late last year, a senior Russian official commented
that an attack against a national target such as transportation or
electrical power distribution would—and I quote—“. . . by virtue of its catastrophic
consequences, completely overlap with the use of (weapons) of mass
destruction.”

• An article in China’s “People’s Liberation Daily” stated that—and I quote— 
“an adversary wishing to destroy the United States only has to mess up the 
computer systems of its banks by hi-tech means. This would disrupt and de¬ 
stroy the United States economy. If we overlook this point and simply rely 
on the building of a costly standing army ... it is just as good as building 
a contemporary Maginot Line.” 

• A defense publication from yet a third country stated that “Information Warfare
will be the most vital component of future wars and disputes.” The author
predicted “bloodless” conflict since, and I quote, “information warfare
alone may decide the outcome.”

As these anecdotes clearly demonstrate, the battle-space of the information age
will surely extend to our domestic infrastructure. Our electric power grids and our
telecommunications networks will be targets of the first order. An adversary capable
of implanting the right virus or accessing the right terminal can cause massive damage.

Information warfare is not just about offensive capability, however, but about defensive
readiness as well. This fact has not been lost on others. Many nations—several
of which are potential adversaries—are reviewing their own growing dependence
on information systems, both for military and civil activities. They are searching
out their vulnerabilities and developing approaches to protect themselves. We
must do the same. If not, we could soon find ourselves at a significant disadvantage
in addressing what may be the key security challenge of the next decade.

Next—I want to examine the degree to which this threat has proliferated beyond 
traditional nation states to become the potential weapon of choice for less structured 
adversaries. 

Terrorist Use of Information Warfare Tactics 

Terrorists and other non-state actors are beginning to recognize that Information
Warfare offers them new, low cost, easily hidden tools to support their causes. They
too will see the United States as a potentially lucrative target. These people will
be very difficult for the United States to trace in cyberspace.

Terrorists, while unlikely to mount an attack on the same scale as a nation, can 
still do considerable harm. What’s worse, the technology of hacking has advanced 
to the point that many tools which required in-depth knowledge a few years ago 
have become automated and more “user-friendly.” It may even be possible for terror¬ 
ists to use amateur hackers as their unwitting accomplices in a cyber attack. 

Cyber attacks offer terrorists the possibility of greater security and operational
flexibility. Theoretically, they can launch a computer assault from almost anywhere
in the world, without directly exposing the attacker to physical harm. Terrorists are
not bound by traditional norms of political behavior between states. While a foreign
state may hesitate to launch a cyber attack against the United States due to fear
of retaliation or negative political effects, terrorists often seek the attention—and
the increase in fear—that would be generated by such a cyber attack.

Established terrorist groups are likely to view attacks against information sys¬ 
tems as a means of striking at government, commercial, and industrial targets with 
little risk of being caught. Global proliferation of computer technology and the open 
availability of computer tools that can be used to attack other computers make it 
possible for terrorist groups to develop this capability without great difficulty. 

Terrorists and extremists already are using the Internet and even their own web 
pages to communicate, raise funds, recruit and gather intelligence. They also will 
use it to launch attacks against their adversaries. They may even launch attacks 
remotely from countries where their actions are not illegal or with whom we have 
no extradition agreements. 

• Let me give you a few examples of what I am talking about. A group calling 
themselves the Internet Black Tigers took responsibility for attacks last Au¬ 
gust on the E-mail systems of Sri Lankan diplomatic posts around the world, 
including those in the United States. Italian sympathizers of the Mexican 
Zapatista rebels crashed web pages belonging to Mexican financial institu¬ 
tions. While such attacks did not result in damage to the targets, they were 
portrayed as successful by the terrorists and used to generate propaganda 
and rally supporters. 

Detecting Information Operations Attacks Launched Against the United States

Mr. Chairman, as terrorists and other adversaries well know, our society is based
on the free flow of information. That concept is clearly embodied in the Constitution. 
It forms the foundation of our freedoms and of our productivity. Consequently, our 
systems are built to facilitate access and openness and they must remain so within 
the reasonable bounds of security. It is just that openness, however, that makes our 
systems so vulnerable. 

So how will we detect an attack in this world of vast inter-connectivity? It will 
not be easy. In the first place, those who would attack us, generally, are tough intel¬ 
ligence targets. Second, they will use cheap, easily available technology and tech¬ 
niques. Patterns will be difficult to spot. Furthermore, intrusion detection tech¬ 
nology is still in its infancy and the systems we will need to observe are very di¬ 
verse. When attacks are detected, the source of the attack will be disguised. More¬ 
over, after trouble is detected, it takes time for an analyst to determine whether 
the problem took hold by accident or by design. Unless we have intelligence indica¬ 
tions dealing with someone’s intention to attack, such as through a human source, 
tactical warning will be very difficult to attain.

However, by combining the efforts of government and industry, we will be able
to pool our strengths and share the necessary information to allow a reasonable defense.
Furthermore, by sharing the research and development burden between the
public and private sectors, we each will be better able to take advantage of the other’s
expertise. That is one of the advantages of connectivity.

The Intelligence Community Response 

Protecting our systems will require an unprecedented level of cooperation across
government agencies and with the private sector. That cooperation already has
begun. I view the report of the President’s Commission on Critical Infrastructure
Protection as a defining moment in identifying vulnerabilities in our information
infrastructure, in assessing the potential threat to our national security, and in establishing
the requirement as well as the momentum for a coordinated effort on information
operations. The intelligence community engaged actively in the preparation
of that report as well as in publishing the National Intelligence Estimate on
Foreign Threats that served as the companion piece to the Commission’s report. In
producing the NIE, the intelligence community enjoyed extensive interaction with
representatives from law enforcement and DoD information security agencies to assess
the threat to our computer networks.

These two documents—the NIE and the Commission report—have provided the 
impetus for significant activity in both the public and private sector to combat the 
threat to our computer systems. The attention directed to the threat to our informa¬ 
tion security systems also resulted in the stand-up of dedicated activities within 
CIA, DIA, and NSA. CIA also appointed an Information Warfare Issue Manager, 
whose responsibility is to focus collection and all-source analysis on the IW threat 
and to provide an IW center of excellence within the Agency. 

As a community, we have also been active participants, together with other information
operations stakeholders, in the NSC-Chaired Interagency Working Group
that produced the Presidential Directive titled “Critical Infrastructure Protection”
and we are now active in the NSC Critical Infrastructure Coordinating Group
tasked to implement that directive. Each of these efforts has had a cumulative effect
in building the critical mass that will be required to deal with the threat to our information
infrastructure. The Commission report, the NIE, and the recent Presidential
Directive will provide the public and private sector with a clear blueprint
as to the direction we are taking.

Our very considerable efforts with the Department of Defense have produced organizational,
policy and capability improvements and efficiencies for use in information
operations. We recently established a senior-level forum to address Information
Operations policy and process issues, responding to long-standing congressional interest
in the development of just such a policy body. We also created, one year ago,
the Information Operations Technology Center at Fort Meade, Maryland. The IOTC
is another of our joint DoD and Intelligence Community activities, providing advice
and developing techniques that can protect United States infrastructure and systems.

• We have also actively participated in DoD War Games like the Evident Sur¬ 
prise series established by U.S. Atlantic Command and incorporated the 
threats posed by information warfare into an increased number of other exer¬ 
cises. After my testimony, you will hear from General Minihan, Director, Na¬ 
tional Security Agency, about the U.S. Government’s cyberwar exercise, “Eli¬ 
gible Receiver.” Eligible Receiver was an information war wake-up call of the 
highest order. It highlighted in very clear terms the importance of today’s 
hearing and the work that still lies ahead. 

Finally, we must recognize that law enforcement and the private sector are essential
parts of our response to this emerging threat. Our Intelligence Community’s information
warfare efforts include support to the Department of Justice’s National
Infrastructure Protection Center which was commissioned in response to recommendations
of the President’s Commission and the joint efforts of the NSC Interagency
Working Group on Critical Infrastructure. We are very much engaged in providing
technical, analytic and management personnel to the Center as well as needed
intelligence support. The NIPC will provide the very critical bridge between government
and the private sector. As you know, the private sector is being “hit” every
day by hackers. We need to do more to inspire the confidence to work together and
to share information with industry to learn more about these attacks, to discover
whether they emanate from foreign sources and to become partners in developing
the technology required to deflect future attacks.

The Challenge to Act

Mr. Chairman, the concerns we raise today—although not yet on the front burner 
in the minds of many Americans—are, in fact urgent. We have to focus on this 
threat now. 

In fact, the approach of the year 2000 makes our work all the more critical. It
is generally understood that the “Year 2000 Problem” poses inherent risks to our
systems, but it is less understood that the Year 2000 also affords special opportunities
for our adversaries. For example, our dependence on foreign software development
is a cause for concern. It is possible foreign actors with hostile intent may try
to exploit the Year 2000 Problem for their own ends. As we come upon that date,
we have to do more than just ensure that our systems function on January 1, 2000,
but that they function and that they are secure.

These are enormous challenges. As we all recognize, Information Warfare defies
conventional and even many unconventional intelligence methods. Intelligence disciplines
traditionally have focused on physical indicators of activity and on mechanized,
industrially-based systems. With the advent of Information Operations, we
are faced with the need to function in the medium of “cyberspace” where we will
conduct our business in new and challenging ways.

At the end of the day, the Intelligence Community must be positioned to provide
warning of cyber-threats. This warning must go to national leaders and the military 
of course. But we also must develop ways and means to warn the private sector and 
the leaders of our economy. 

However, our efforts must extend beyond warning. As a nation, we will need to 
detect attack, withstand assault if launched successfully against us, and then ag¬ 
gressively prosecute action against the attackers. The Intelligence Community can¬ 
not do all this alone, nor can the Department of Defense, nor can the Department 
of Justice or private industry. In this new world of cyber-threats, we will need to 
work together in partnerships unlike any in our history. 

Mr. Chairman, we have made a solid beginning, but we have a long way to go.
I appreciate your efforts to bring this vital issue before the public and for your interest
in our work in the Intelligence Community. Protecting our infrastructure is a
topic which will only grow in importance as we enter the 21st century. It concerns
all of us. I look forward to working with you in the future as we build on the foundations
we are laying today.

Chairman Thompson. Thank you very much. 

Lieutenant General Minihan. 

TESTIMONY OF LIEUTENANT GENERAL KENNETH A. MINIHAN, 
DIRECTOR, NATIONAL SECURITY AGENCY 

General Minihan. Sir, thanks for inviting me here this morning.
I was asked to talk about Eligible Receiver and I would like to nest
my discussion about Eligible Receiver and characterize it perhaps
as a wake-up call in the context of some of the valuable lessons
learned which we took out of Eligible Receiver.

As Mr. Tenet has mentioned to you, generally speaking, the
network is an open party line, and I will mention to you several 
times that what we are really concerned about is the content in the 
network, not just the network and its security, and that is why the 
security services that the Director discussed are important. 

Having said that, you would expect Defense to test the security 
services in that network, and that is what Eligible Receiver is all 
about. We understand that our vulnerabilities have begun to shift 
from the industrial base or the force structure, which we normally 
talk about, to our information infrastructure, and the vulner¬ 
abilities that are there are shared among government, commercial 
industry, and in many cases, our allies. 

So in the information age, our society is becoming increasingly
knowledge-centric and it is that content that is becoming vulnerable
to exploitation. It is the content in the network which actually
makes it interesting to conduct the kinds of operations both of you
mentioned in your opening comments.

Our network connectivity is continuing to expand exponentially, 
so as our reliance in these systems grows as a Nation, we are actu¬ 
ally increasingly dependent on the information technologies to keep 
our economy competitive, our government both effective and effi¬ 
cient, the defense system at work, and our citizens safe and secure. 

Now, while these advantages of electronic commerce are growing, 
our technical ability to network has outpaced our ability to protect 
those networks. Thus, we present our adversaries with an oppor¬ 
tunity to gain access to our national security interests. The United 
States no longer has the traditional sanctuary of a geographically- 
based industrial base to protect. It also must protect its geopolitical 
and its global information infrastructure. 

So there are no borders in cyberspace and attacks against our 
networks can come from virtually any point in the globe. Like in 
real estate, it is location, in this business, it is access, and where
the access occurs is where your vulnerability is, so a very complex 
set of matrices are occurring. 

Now, the resources at risk include not only the information 
stored on the network, but that information which is traversing the 
network, but also all of the components of our national infrastruc¬ 
ture that depend on that information technology and the timely 
availability of that from an accuracy perspective. 

So as noted last fall by the President’s Commission on Critical 
Infrastructure Protection, these include telecommunications infra¬ 
structure itself, our banking and financial institutions, the North 
American power grid, other energy systems, such as oil and gas 
pipelines and transportation networks, water distribution, and of¬ 
tentimes we talk of it in segments, like banking, like transpor¬ 
tation, but quite frankly, they are all technically all networked to¬ 
gether and so they all have shared vulnerabilities, police, fire, res¬ 
cue, and government operations at all levels. 

So as the complexity increases, the issue of interconnectivity and 
the resultant critical vulnerabilities, as well as deficiencies in our 
own ability to respond effectively during these kind of exploi¬ 
tations, were really demonstrated in the no-notice exercise called 
Eligible Receiver 97, which was conducted in June of last year. 

Eligible Receiver 97 was the first large-scale exercise designed to 
test DoD’s ability to work with other branches of the government 
to respond to an attack on the national information infrastructure. 
In Eligible Receiver 97, information technology knowledgeable peo¬ 
ple, using open source information and operating consistent with 
the statutes and regulations of the Nation, successfully penetrated 
DoD’s networks, impacting upon DoD’s ability to respond with the 
use of military force. 

Eligible Receiver showed what could be done against segments of
the defense information infrastructure and the national information
infrastructure with publicly available tools. Eligible Receiver
97 did not constitute a full-scale, state-of-the-art information operations
or information warfare campaign. A sophisticated adversary
could develop and use more advanced tools and dedicate greater resources
and time to support his campaign. In short, our adversaries
will have opportunities and advantages that were not available to
Eligible Receiver as the red team.

The last thought I would like to share with you is that our 
vulnerabilities provide our adversaries with what you refer to as a 
window of opportunity for an electronic Pearl Harbor, and I think 
that is a correct characterization and Eligible Receiver is the wake- 
up call for that concern. I think it is important to see the threat 
in two contexts. 

First, the unstructured threat is the random and relatively lim¬ 
ited hacking which you have heard about. It consists of adversaries 
with limited funds and organization and short-term goals. In some 
cases, they want publicity. While it poses an important threat to 
system operations, national security is not necessarily targeted or 
threatened. This is the most obvious threat which we see today. 
This threat comes from both foreign and domestic groups, as the 
DCI has mentioned, and individuals with a range of motives and 
targets around the Nation—military, banks, public switch network, 
universities, and corporations. These tactical-level attacks occur 
every day and will continue. 

But this unstructured threat is really providing the tip of the ice¬ 
berg for what we should really be concerned about, and that is the 
kind of activity that we would describe as a structured threat. It 
goes beyond the hacker, but the hacking activity is hiding the more 
sophisticated set of operations. 

At the other end of the spectrum is the structured threat. It is 
considerably more methodical. It is well supported. These adversar¬ 
ies have all sorts of intelligence support, extensive funding, orga¬ 
nized professional support, and long-term goals. For national secu¬ 
rity purposes, we are concerned primarily with the structured 
threat, since that threatens our system’s survival, while we pay 
close attention to the other instances which you have referred to 
in your opening statements. 

The information age may require us to expand our traditional 
concept of what we think of as weapons of mass destruction. Infor¬ 
mation attacks, when conducted at the strategic level, have the po¬ 
tential to be devastating and the price of admission is considerably 
less. 

If you think about the development of nuclear weapons, they re¬ 
quire knowledge plus extensive resourcing and funding and very 
difficult and hard-to-get materials. Biological weapons also require 
specialized knowledge, but are less expensive and the materials are 
more easily obtainable. Information attacks require knowledge and 
even less funding. 

So those fewer dollars actually allow our adversaries to have a
greater substantial impact, asymmetric to their own force structure,
as they look to disrupt or influence U.S. civil or military activities
through the manipulation of our information networks
without necessarily directly confronting conventional U.S. military
power. This will become an increasingly attractive option for them
as we enter the 21st century, and we perhaps ought to consider
adding information infrastructure threats to our definition of weapons
of mass destruction.

Now, lastly, I would just like to share that we are well into the
era of conflict in the information age. This is not view graph engineering.
Unstructured attacks are occurring against our networks
every day, but unfortunately, most of them are not detected and reported.
Consequently, we have no indication of how many attacks
are actually occurring and where those attacks are taking place.
We face increasing numbers of more sophisticated adversaries if we
do not focus on the water beneath the tip of the iceberg.

Peace, as we have traditionally known it in the industrial era,
will not exist in the information age of the 21st century. Like our
body’s immune system, which is constantly under attack, so, too,
will our information technology infrastructure be under constant
attack. We will need the equivalent of a robust immune system to
provide security services that the Director has mentioned to protect
our vital organs so that we can enjoy the benefits of the information
age in the 21st century.

Sir, I look forward to answering some of your questions this 
morning. 

[The prepared statement of Lt. General Minihan follows:] 

PREPARED STATEMENT OF LIEUTENANT GENERAL MINIHAN

Introduction

Mr. Chairman and distinguished Members of the Committee, I am pleased to pro¬ 
vide testimony on the broad array of threats users of networked information sys¬ 
tems face today from exploitation of their vulnerabilities by a wide array of mali¬ 
cious actors—including hackers, terrorists, and nation states. 

The world of the 21st century will look significantly different from that of today.
Post-Cold War Russia continues to pose a threat to U.S. national security interests,
albeit in new and different ways. China, too, remains a power to be reckoned with.
But at the threshold of the 21st century, the true threats to U.S. interests no longer
reside exclusively in individual geopolitical entities. As a direct result of the diffusion
of power following the end of the Cold War, threats to U.S. security today look
very different from those of only a few years ago.

With the dissolution of the Cold War bi-polar power structure, the world’s attention
has focused on ethnic disputes, the reigniting of tribal wars, and transnational
actors. Our policymakers, diplomats, and military forces face more regional conflicts,
more peacekeeping operations, and more operations-other-than-war than ever before.
Unprecedented transnational security challenges confront the Nation in the
form of terrorism, drugs, and international organized crime. U.S. policymakers and
law enforcement officials must decide how to confront terrorists, narco-traffickers,
and international organized crime cartels that threaten to disrupt the fragile,
emerging new world order. These opportunists, enabled by the explosion of technology
and the availability of inexpensive, secure means of communication, pose a
significant threat to the interests of the United States and its allies.

As was graphically demonstrated by the Department of Defense’s (DoD)’s experience
in Exercise Eligible Receiver 97, and more recently with the high-profile computer
intrusions dubbed Solar Sunrise, we face increasing risks to U.S. interests in
cyberspace. United States dependence on, and worldwide connectivity through, this
relatively new medium increase our exposure to traditional adversaries and a growing
body of new ones, many of whom are fast developing their capabilities to exploit
and disrupt networked information systems. The ability of adversary groups and nation
states to disrupt or influence U.S. civil and military activities through manipulation
of our information networks, without having to confront directly traditional
U.S. military power, will become an increasingly attractive option for them as we
enter the 21st century.

As a Nation, we are increasingly dependent on information technologies to keep
our economy competitive, our government both effective and efficient, our defenses
at the ready, and our citizens safe and secure. Unfortunately, these same information
technologies bring with them a host of exploitable vulnerabilities. Today’s
internetworked, interdependent information systems allow us to do things not
dreamt of 20 years ago, but they also give rise to new threats to our national security,
public safety, and personal privacy. The United States no longer has its traditional,
geographically-based strategic sanctuary.

Our connectivity to and through cyberspace increases our exposure to traditional
adversaries and a growing body of new ones. Anyone with a computer, modem, and
telephone line can make use of a burgeoning array of network sniffers, malicious
software, and sophisticated information attack tools to disrupt network operations.
Information attacks can supplement or replace traditional military attacks, greatly
complicating and expanding the vulnerabilities we must anticipate and counter. The
resources at risk include not only information stored on or traversing cyberspace,
but all of the components of our national infrastructure that depend on information
technology and the timely availability of accurate data. As noted last fall by the
President’s Commission on Critical Infrastructure Protection, these include the telecommunications
infrastructure itself; our banking and financial systems; the North
American power grid; other energy systems, such as oil and gas pipelines; our transportation
networks; water distribution systems; medical and health care systems;
emergency services, such as police, fire, and rescue; and government operations at
all levels.

Indeed, the capability of the DoD to carry out its integrated mission of
warfighting and peacekeeping is highly dependent upon the interconnected set of information
systems and networks we call the Defense Information Infrastructure
(DII), which in turn is dependent upon the U.S. network backbone known as the
National Information Infrastructure (NII). In today’s environment of sophisticated
weaponry and rapid, global force projection, the ability to provide accurate information
when needed is vital to all aspects of DoD operations. Cyberspace thus serves
as an essential national security enabler, but presents us with a critical vulnerability
as well.

This issue of interconnectivity and the resultant critical vulnerabilities as well as
deficiencies in our ability to respond effectively during such an attack was demonstrated
in a no-notice exercise Eligible Receiver 97 (ER97) which was conducted
in June of last year. The Eligible Receiver series of exercises are directed by the
Chairman of the Joint Chiefs of Staff and are designed to test DoD planning and
crisis action capabilities. ER97 was the first large scale exercise designed to test
DoD’s ability to work with other branches of the government to respond to an attack
on the national information infrastructure.

This exercise clearly demonstrated that IO is a real threat to our Nation and that
it can be a dangerous one. New methods for exploiting vulnerabilities are being developed
by the hacker community with increasing frequency. These tools are widely
disseminated and are publicized in open public forums.

The DII information assurance challenges faced by the DoD are shared by the 
civil and commercial sectors of the U.S. economy. In a very large measure, the DoD 
is dependent upon our national infrastructure and the services it provides. Informa¬ 
tion must be authentic, accurate, private, and available when needed. Our informa¬ 
tion infrastructure must be resistant to cyber attack across the full range of threats 
from hackers to nation states, and must limit damage and recover rapidly when attack 
occurs. This requires a “defense in depth” strategy, one which makes it very 
difficult to penetrate the NII, but also deals effectively with penetrations that occur. 
Moreover, the highly interconnected nature of the NII requires that assurance 
measures be applied coherently—the assurance of the entire NII is dependent upon 
the assurance of all of its individual elements. 

Information System Threats Today 

Threat refers to the intentions and capabilities of adversaries to exploit or attack 
information systems. Capability includes not only access to the appropriate technologies 
and information, but also trained personnel and adequate funding. It is intention 
that transforms potential threat into active threat. As Exercise Eligible Receiver 
97 graphically demonstrated, a moderately sophisticated adversary can cause 
considerable damage with fewer than thirty people and a nominal amount of money 
if the systems they are attacking are not adequately protected and defended. 

A strategic-level threat is technologically feasible today. The advent of computer 
bulletin boards and newsgroups has led to the wide and rapid dissemination of attack/hacker 
tools and techniques. The development of automated hacker tools makes 
it easier for less-skilled individuals or groups to inflict more damage. In addition, 
we have little capability today to provide effective Indications and Warning (I&W) 
of a pending information attack. During the Cold War, the United States developed 
robust systems to preclude surprise from nuclear and conventional threats. Unlike 
those areas, a campaign of information attack has few unique observables. 

We distinguish two fundamental types of threat. The unstructured threat is random 
and relatively limited. It consists of adversaries with limited funds and organization 
and short-term goals. While it poses a threat to system operations, national 
security is not targeted. This is the most obvious threat today. The structured threat 
is considerably more methodical and well-supported. While the unstructured threat 
is the most obvious threat today, for national security purposes we are concerned 
primarily with the structured threat, since that poses the most significant risk. 

Hackers have been attacking systems quite successfully for a long time. This 
threat comes from both foreign and domestic groups and individuals with a range 
of motives. Targets include government, military, banks, the Public Switched Network, 
universities, corporations, and research institutions. These tactical-level attacks 
occur every day. DoD’s experience in February of this year with the attacks 
on its unclassified systems, dubbed Solar Sunrise, was a classic example of this form 
of attack. The attackers used tools and techniques readily available on Internet 
hacker bulletin boards. Although these attacks were moderately disruptive, the good 
news is that the vulnerabilities exploited are relatively easily fixed. For this level 
of attack, both technology and procedural solutions are available today. 

The structured threat is considerably more methodical and well-supported. These 
adversaries have all-source intelligence support, extensive funding, organized professional 
support, and long-term goals. For national security purposes we are concerned 
primarily with the structured threat, since that threatens system survival. 

The Gulf War served to alert many countries to the value of targeting information 
systems. They keenly follow U.S. discussions and activities in the realm of Informa¬ 
tion Operations/Information Assurance. The Chinese present a good example of the 
structured threat. In 1995 the Chinese military openly acknowledged that attacks 
against financial systems could be a useful asymmetrical weapon. By 1997 the Chi¬ 
nese military had incorporated computer warfare into an exercise scenario. 

We are well into conflict in the information age. We have failed to adequately 
comprehend this, for a variety of reasons. We do not have a clear or complete under¬ 
standing of the threat to our information systems. Unstructured attacks are occur¬ 
ring against our networks every day, but unfortunately, most are not even detected. 
Of those that are detected, even fewer are reported. We are only seeing the tip of 
the iceberg. Even when attacks are detected and reported, we rarely know who the 
attacker was. Traceback mechanisms are not fully developed or deployed. This refers 
to both legal procedures and electronic technology. Consequently we have no indication 
how many of the attacks we experience may actually be structured attacks. 
Nonetheless, it is clear from the information we have, that we face increasing numbers 
of more sophisticated adversaries. At the same time, the development of automated 
attack tools has made it easier for less-skilled intruders to do more damage. 

Information Assurance—A National Strategy for Information Protection 

“Defense in depth” requires that we not only “harden” the protection of informa¬ 
tion systems, but also conduct an “active defense” of those systems. Such a defense 
requires that we have the best possible intelligence on the capabilities and inten¬ 
tions of potential attackers, the ability to use that knowledge to deter attacks when¬ 
ever possible, and the tools and techniques necessary to detect and respond to at¬ 
tacks that do occur—whether by random hackers or by a hostile nation state. In 
concert with our partners in DoD, the Department of Justice and the Intelligence 
Community, NSA is aggressively developing a concept of operation for intrusion de¬ 
tection and response, and the tools and techniques required for time sensitive analy¬ 
sis and reporting. As was vividly demonstrated during Solar Sunrise, analysis and 
response to such intrusions requires the effective use of experts in a variety of eso¬ 
teric disciplines; a cadre of experts that will have to be expanded dramatically as 
the challenges to our information systems’ security increase over time. 

We must all begin to face the challenges inherent in protecting and preserving 
the NII. The President’s recent Directive on Critical Infrastructure Protection (PDD 
63) points the way. Many of the solutions being developed for the DII will be useful 
in protecting and defending other Federal systems, and will have direct application 
to the NII. PDD 63 calls for the government to lead the Nation by example in the 
practice of infrastructure protection, and by extension, information assurance. The 
Deputy Secretary of Defense has publicly stated that the DoD will lead by example 
within the Federal sector. NSA is widely recognized as one of our country’s preeminent 
expert resources for dealing with the information assurance problem. NSA 
will continue to contribute all it can to make information assurance for the DII and 
the NII a reality. 

Chairman Thompson. Thank you very much, General Minihan. 
There is an old custom in politics. When a guy is about the fifth 
or sixth speaker at an event, he gets up and says everything has 
been said but not everybody has said it and so he wants to say it, 
too. Well, a lot of these things have been said, but now the top guys 
are saying it, and I think that is the importance of today. When 
the head of the CIA and the NSA come in and use terms such as 
urgent and use the Pearl Harbor analogy and so forth, I think that 
speaks for itself. 

I want to commend both of you for taking it upon yourself to 
come in and try to heighten our awareness and the awareness of 
the American people about this problem. I know it is the nature 
of both of your organizations not to be very public about very many 
things, but you embraced this opportunity, and I must say, you 
were very, very frank in laying out the nature of this problem. I 
think it shows a certain amount of confidence that you are on top 
of it and you are doing something about it. 

I know that the President issued a directive on this last month, 
and it looks as if a lot of serious attention is being given to it. I 
think that that is commendable. We maybe should have gotten 
onto it a little earlier, but I think we are onto it now. 

Just in summary, the nature of the problem affects both the pri¬ 
vate sector and our military. Our military is vulnerable from the 
standpoint not only of people being able to get into systems to gath¬ 
er important information, but from a standpoint of potentially 
shutting down our defense information systems at an important 
time. The threats come from all different kinds of groups—from 
major powers to perhaps lesser countries to rogue groups to orga¬ 
nized crime. 

Eligible Receiver showed that a handful of people can wreak 
major havoc. You demonstrated a vulnerability and you have been 
willing to go public and point out to the American people what our 
vulnerability is. 

I think we are continuing to learn that every coin does have two 
sides. When you are talking about the interconnectivity of the 
world economy—where we like to compete for those exports—our 
technology serves us well, but when Asia sneezes now, we sometimes 
catch a cold or maybe worse. The same thing is true as far 
as the information world that we are living in. 

We are interconnected not only commercially and not only mili¬ 
tarily, but the private sector and the military are interconnected. 
It is too expensive to build a contained military system where no¬ 
body can break into it, so we have to depend on commercial sys¬ 
tems, and we have to be connected. 

You point out that our challenge can come from abroad and it 
can go through several different sources and be difficult to trace 
back. This situation where you thought we were under attack during 
a recent Iraqi crisis turned out to be two college kids in California 
and one in Israel. They ran us through several different terminal 
points here. One was from College Station to Harvard, which 
is, as I said, probably the first time College Station and Harvard 
ever had any communications-[Laughter.] 

And to the United Arab Emirates and all the way back again. As 
I understand, you had to go in and get search warrants at several 
different places in order to track down these individuals, which is 
another problem. 

So with very little sophistication, an awful lot can be done to 
damage us, and underlying all of that is the year 2000 problem, 
which just exacerbates everything else. It is a tremendous problem 
in and of itself, but when you combine it with computer security, 
it is going to make us even more vulnerable, especially in the short 
run. 

I just want to start out by thanking you and the administration 
for being willing to have you lay out for the American people the 
very, very serious nature of this relationship and the challenges 
that lie ahead. 

I think Mr. Tenet’s most direct comments had to do with the 
need to work with industry and what he describes as not really an 
encryption problem. There will be a lot of debate as to the nature 
of encryption, but you have an industry that is used to disseminat¬ 
ing information. You point out that you need to protect informa¬ 
tion. You have a situation where companies do not want the gov¬ 
ernment coming in and saying, we think we have a problem, open 
up your records. So you have a search warrant problem in a place 
where it takes an instant to transfer information around the world. 
The challenges lie before us and are going to be tremendous. 

Let me ask you to focus in on the year 2000 problem for just a 
moment. There are various aspects of this, as we said. The nature 
of the year 2000 problem in and of itself is one of them. Are there 
dangers with regard to critical systems that have military signifi¬ 
cance, such as nuclear power plants, weapons systems, and so 
forth, where we are hearing about troubles in some countries, that 
still have nuclear capabilities? Is there a national security military 
relevance to this year 2000 computer problem? 

General Minihan. Sir, there is no question that there is a na¬ 
tional security relevance. I would like to put it in a couple or three 
shades. 

First, your awareness exceeds by a wide margin most leader¬ 
ship’s awareness outside the United States. So with the exception 
of a few countries, America is aware and aware at leadership levels 
significantly beyond any other countries we see. As a result, there 
is just now an emerging sense of the problems. 

Second, there is this sense that, well, the Americans will just 
issue some software and it will be fixed, so they do not have a 
sense of the complexity, either. That results in the phenomena you 
are talking about, where you then begin to worry about the soft¬ 
ware integration of indication and warning systems for nuclear pre¬ 
pared countries, what are their scopes going to look like. You have 
seen some instances in the past when the scopes do not work cor¬ 
rectly for other reasons, it is confusing and you lose the kind of 
confidence that you have. 

Chairman Thompson. You are talking about scopes. What are 
you referring to? 

General Minihan. When you are looking at the situational 
awareness of what is occurring in the world that you would worry 
about being attacked, and if that scope were displaying inconsist¬ 
encies with your sense of safety, you might think you were being 
attacked when, in fact, your software was not acting correctly. So 
it is a very complex problem to think your way through and they 
are not nearly at the point that we are in doing it. So we both have 
the problem- 

Chairman Thompson. But their problem becomes our problem, 
does it not? 

General Minihan. It becomes our problem. So you have, I have 
seen any number of our leadership now as they travel begin to 
have exchanges with their counterparts. Are you thinking about 
Y2K? Have you understood? We are seeing some nice exchanges 
occur and awareness is growing, but there is much work to be done 
for us to get to the point where they have the same certification 
process that we are going through to make sure that their software 
is in place. 

Chairman Thompson. Mr. Tenet, do you have a comment? 

Mr. Tenet. Yes. I think, Mr. Chairman, we have to be careful 
not to construct catastrophic scenarios, but the fact is, a bank that 
is unable to transact business in a country that is experiencing fi¬ 
nancial activities in 2000 and creates greater problems, there is a 
national security dimension out of that instability. The failure of 
early warning radars to work because we have not fixed the problem 
creates an instability in and of itself. 

So we are looking at all these things and we are focused on it. 
As General Minihan says, there has been an uneven appreciation 
of the application of what needs to be done across the world. It has 
not been even, and because you’re networked the way you are, just 
because you fixed the problem does not mean you are not going to 
have a problem. 

Now, the Y2K problem also has to be understood in the context 
of it is the transaction that will suffer. If people do prudent things, 
they will be able to save data. You will be able to save your bank 
account. You are not going to lose your money. The issue is, can 
you conduct a business transaction? If the computer networks have 
not been fixed to accommodate what needs to be done, that is 
where the danger lies. 

And if you extrapolate onto any of the critical industries that you 
are thinking about in this country, magnify it overseas and then 
tell me how stable a country is, tell me where they are in their po¬ 
litical process, tell me what their financial situation is and I will 
paint you a national security dilemma, depending on the country 
you are dealing with. 

General Minihan is right. We are engaging our partners at all 
levels to talk to them specifically about their Y2K problem. Sec¬ 
retary Cohen has talked to his counterpart in Russia about his 
problem to ensure that they are focused on it, and there are ongo¬ 
ing discussions, and we, in fact, I think, are driving the boat on 
this issue as hard as we can because we understand the 
connectivity issues and what the implications are. 

Chairman Thompson. Is it fair to say that we really cannot tell 
where we are going to be in that regard by January 1, 2000, even 
the extent to which we have been able to address the problem, 
much less whether a Russian, for example, has been able to ad¬ 
dress the problem? So when things happen or if unusual things 
happen, shall we say, along about that time, we will not know 
whether or not it is by design or whether or not it is a part of the 
Y2K problem? 

Mr. Tenet. I think it is fair, sir. I do not think General Minihan 
and I could paint a picture today that provided you a high confidence 
accuracy about where we are going to be. We are following 
the problem, and obviously we have targets we are more concerned 
about than others. We can talk about that in a classified session. 
But it is the unevenness of the application that worries me. 

General Minihan. Sir, I think you need to accept some level of 
uncertainty. I always tell the boss that I see this as—Y2K is like 
the El Nino of the digital age. It is going to come through, and we 
do not necessarily know all of the patterns that are going to 
emerge. What we want to do is have an excellent sense of what is 
really important and protect and fix that, and there will be global 
addendums to that, which is what you are talking about, so it is 
not just a United States-only fix. 

Whether you wanted to talk about it in the context that you 
mentioned, nuclear early warning, or whether you want to talk 
about it in banking or whatever, we need to find those very impor¬ 
tant areas and work those. You can set those in a condition where 
you would be relatively certain that your transactions are secure 
and that you have your data stored. Now you have a range of 
things you want to work on which may not be in the top range but 
are still critical and we want to focus on those. 

So within a range of things, we are going to have some storms 
and we want to be able to deal with the storms as they occur, so 
we have to have a nice emergency service. We have to have the 
ability to respond. We have to understand what sort of skill basis 
we need in our various institutions to do that, and again, that will 
be a global construct, not a United States construct. 

Chairman Thompson. Right. 

General Minihan. But I think it would be illusory of anybody to 
tell you we are going to get our arms around this, it will be OK, 
and we will guide through it. 

Chairman Thompson. But the other side of that coin is that we 
do not want to generalize so much in talking about the various in¬ 
conveniences and problems and so forth, and by the way, there is 
a nuclear component out there, also. 

General Minihan. Right. 

Chairman Thompson. That is a category in and of itself, and I 
assume is being prioritized- 

General Minihan. Yes, sir. That fits up there- 

Mr. Tenet. Right at the top. 

Chairman Thompson [continuing]. In terms of addressing these 
things. 

Along those same lines, in terms of the year 2000 problem, a lot 
is being written about how we are addressing that and the need 
that we are having to bring in a lot of technical people to address 
this, both in terms of industry and in terms of the military, and 
that we are getting or will be getting a lot of our help from various 
foreign countries. Other countries have been mentioned in the 
press. India, for example, apparently is going to be supplying a lot 
of those technicians. Of course, it only takes one person, I would 
assume, among the thousands to create a real problem, if the 
wrong person were to get into the wrong place. 

What kind of potential vulnerabilities are there in terms of our 
military, and in terms of our industry, with regard to the con¬ 
centrated effort that we are going to have to have in order to get 
enough people in to solve this problem? The way it is explained to 
most of us is that the technical aspect of it is not all that complicated, 
but it is a severe manpower problem. It is going to take 
a lot of people doing a lot of work to fix it. How does that make 
us vulnerable? What can we do to minimize that? 

Mr. Tenet. Well, it is a tough problem. I mean, we have a shortage 
of software engineers. We have an abundance of foreigners who 
are willing to solve this problem for us. Y2K remediation provides 
all kinds of opportunities for someone with hostile intent to under¬ 
stand how your computer network works, how your business works, 
what your vulnerabilities are. 

So we are watching it very carefully. We are working with the 
Bureau to understand whether anybody is organizing a threat, so 
if we see that kind of an organization, we can then talk to our in¬ 
dustry about what we find and what we know. But everybody is 
in the same boat. It goes back to what your contracting procedures 
are like, who you are dealing with, who they are dealing with, who 
makes the code, that every major industrialized country makes this 
stuff, and that is the world we live in and everybody is in the same 
boat, Senator, and it is not an easy problem. 

Now, we have to be careful, to be very careful not to create the 
image here that every foreigner that works for you is somehow in 
the employ of a foreign intelligence service, because, quite frank¬ 
ly—or a hostile terrorist organization, because I do not have the 
evidence today to sit in front of you and say, there is a massive 
program to disrupt us. It is intuitive on the basis of the shortage 
that I just described that people have to take care and we have to 
work with the Bureau to help you understand if it exists on how 
to better protect yourself. 

We are working along those lines, but this is a big problem. I 
mean, in some ways, it is a big opportunity, and it is something 
you may not know about for many years because of the stealth and 
the sleeping quality of some of the applications people can inject 
into your systems. 

So it comes back to, it always comes back to where are you on 
the defensive side. What have you done to protect? What is the sys¬ 
tem security that you have put in place, and it has to go hand in 
hand with dealing with this problem. If you isolate it, we are going 
to set ourselves up for a very large problem. 

Chairman Thompson. General, did you have something you 
wanted to add? 

General Minihan. Sir, I would only add that this, I think, will 
become a normal state of concern. It is not something that just oc¬ 
curs because of Y2K. So we, over a long period of time, are going 
to have to deal with this, and as you develop the sets of security 
services, authentication, and what have you, we want to have a 
rich enough set of variables that you cannot go through all the lay¬ 
ers we have set up and exploit us. And when we set those layers 
up, we have to hierarchically understand, as I mentioned to you, 
what our real strategic sanctuary is that needs that kind of protec¬ 
tion. But as a matter of the normal habit of concern, it is some¬ 
thing that is going to be with us in the information age. 

Chairman Thompson. So we have a challenge on the back end 
in terms of fixing the problem and then we have a challenge on the 
front end in terms of heading the problem off, I guess you might 
say. I take it we cannot have an early warning system that someone 
is going to attack our information systems in the way that we 
have a nuclear early warning system, which causes me to wonder 
whether or not we are seeing a situation where human intelligence 
is going to be even more important with regard to this kind of prob¬ 
lem than it has been in the past, both from an intelligence stand¬ 
point—early warning, and from a counterintelligence standpoint— 
what are they doing to us here. Is that a fair assessment? 

Mr. Tenet. Senator, you are absolutely right. The focus on get¬ 
ting into and determining someone’s intent is going to largely be 
a human intelligence, and a technical intelligence, problem that we 
face. 

There is another side of the equation, as well, which is when I 
talked to you about shared vulnerabilities. We have all read about 
all of the anecdotal information and examples of companies being 
attacked, banks being attacked, and the fact is, none of that infor¬ 
mation is shared. Now, I understand the proprietary interest that 
a company or a bank has in not wanting to share that information 
so that the integrity of the institution is not challenged, but some¬ 
place, in some vehicle, that information has to be shared so that 
we can understand the nature of what is going on so we can dif¬ 
ferentiate between the hacker and the more organized attack 
against your infrastructure. And there, I come back to this shared 
vulnerability and trust between business and industry and govern¬ 
ment that we simply have not solved yet. 

Chairman Thompson. Senator Lieberman. 

Senator Lieberman. Thanks, Mr. Chairman. I just want to begin 
by echoing what you said at the outset of your questioning, which 
is that the testimony of Mr. Tenet and Mr. Minihan is very sober¬ 
ing and troubling. This is not a case where you have come in and 
diminished our concerns. I do not believe you are overstating it. 
You are not encouraging us to panic. But you are telling us there 
is a real problem. In a sense, you are confirming our own intuitive 
fears about this, and in that sense, I thank you for being so direct. 

Mr. Tenet, you have described in your testimony the Eligible Re¬ 
ceiver demonstration exercise as, “an information war wake-up call 
of the highest order,” because it showed a vulnerability. So we are 
on notice and we all ought to work together to try to figure out how 
to reduce the vulnerability, understanding that we live in a world 
where risk is part of life, and in some cases, the best we can do 
is to minimize the risk and then try to defend against it. 

I want to see if I understand at this point where we think that 
the most significant threats come from. Would you say that they 
are at this stage from nation states or are they from terrorist 
groups or criminal syndicates, for instance? 

Mr. Tenet. Well, at this point, Senator, what you have is all the 
anecdotes we know about are not affiliated, to the best of our 
knowledge, with nation states or intelligence organizations. The 
hacker phenomenon, basically, what I think it is what it will create 
is a copycat mentality and people will watch. The organized struc¬ 
ture, government, services, groups, are watching to see what our 
reaction is, watching to see how we attempted to solve the problem, 
looking at the facility with which these things occurred. 

Nation states today, and the programs that we talk about in our 
estimate, really are focused on military applications and military 
doctrine and conflict. How do you bring down somebody's air defense 
system? How do you bring down traditional military kinds of 
targets? 

Senator Lieberman. Right. 

Mr. Tenet. All of that is transportable to a more sophisticated 
kind of warfare down the line. So the reason, I think, we have got 
some time and hope here is that we have time to get on top of this 
problem, to anticipate how this will naturally migrate, because for 
nations, there is enormous technical prowess and capability that is 
involved in mounting an attack against us. They are now starting 
to think about it, write about it, incorporate it in their doctrine and 
develop capability. 

Senator Lieberman. Right. 

Mr. Tenet. That has to be matched with the defensive side on 
our end so that we can be ahead of the curve. I have not seen evi¬ 
dence to match up the anecdotal evidence that you and I have 
heard about in these break-ins to a government or a program that 
is very large at this point. So we have not had that match up occur 
yet. We have seen terrorist groups express interest in this kind of 
technology, because they understand the anonymity and the facility 
with which we can do this, but we do not have evidence to suggest 
that, aside from the two instances I cite, that it has occurred yet. 
It does not mean it will not. 

Senator Lieberman. Which are the Zapatistas and the Sri 
Lankan case, right? 

Mr. Tenet. Right. The point is that your point about let us not 
get panicked is the right point. The threat is real and what people 
learn from this is quite real. So down the line, I think we are going 
to encounter more of it and it will be more organized. 

Senator Lieberman. I think part of what you are saying is that 
at this point, we have no evidence of an attempt to attack us 
through information warfare or even to test our vulnerability by a 
nation state or a terrorist group. 

Mr. Tenet. Let me make that distinction. 

Senator Lieberman. Go ahead. 

Mr. Tenet. In terms of these incidences that we know about, we 
know that that is not the case. We know, and I think we talked 
to you about in the classified session—I want to be careful—that 
there is at least one instance where we think there is an active tar¬ 
geting effort. 

Senator Lieberman. An active- 

Mr. Tenet. An active targeting effort underway of U.S. informa¬ 
tion systems. 

Senator Lieberman. Right. 

Mr. Tenet. But, you see, we have not migrated to the far end 
of the spectrum yet, so it is moving. 

Senator Lieberman. And from your testimony, it is clear that we 
do know that there are nations in the world who are developing in¬ 
formation war capacity. 

Mr. Tenet. Yes. 

Senator Lieberman. You mentioned Russia and China. Let me 
be careful about what I am saying. You quoted in your testimony 
individuals from both Russia and China who were speaking, at 
least theoretically or at least strategically, about the potential impact 
of information warfare. Those are large countries. They are 
countries with which we have—it is much in the news today—with 
which we have non-hostile relations. Do we have reason to believe 
that the development of information war capacity in those two 
countries, for instance, is in some sense targeted at us, or is it just 
an exploratory- 

Mr. Tenet. Well, I think what we have described, Senator, is it 
is natural to see in someone’s military doctrine and thinking this 
kind of thinking, in terms of being aware of what the phenomenon 
will afford you someplace down the line. 

Senator Lieberman. Right. I do not want to- 

Mr. Tenet. I do not want to cross lines here. 

Senator Lieberman. Understood. And again, I do not want to 
tread over the lines, so you can tell me if you cannot answer this 
next question, but I wonder about some of the smaller countries 
with whom we have clearly hostile relationships, such as Iraq, 
Iran, and Libya. 

Mr. Tenet. Well, let me answer the question in this way. In all 
of those places, we see those countries enhancing their computer 
capability and their connectivity and acquiring more and more 
tools, so you have to worry about how they take these civilian ap¬ 
plications and then think through how they might apply them or 
transfer them, in the case of rogue states, to terrorist groups for 
some application against the United States. 

Senator Lieberman. Right.

General Minihan. Senator Lieberman, may I offer a thought?

Senator Lieberman. Yes, please, General.

General Minihan. I mentioned in my testimony, I prefer to enter 
the discussion as conflict in the information age, and I mentioned 
to you that it is the content in the network which is what we really 
worry about in terms of vulnerabilities. Information warfare in the 
context that we have been discussing is, in my view, a portion of 
that, but you also have a wide menu of other things which can 
occur in conflict in information age with regard to the information
or the knowledge which you have, which may-

Senator Lieberman. Give me an example of what you are thinking
of.

General Minihan. I was smiling to myself as you were—I, too, 
talk to my kids on E-mail and they are a lot closer than I want 
them to be, but my experience is not like yours. It is not cheaper, 
it is more expensive because my daughter says, “Send me money,
Dad.” [Laughter.]

Senator Lieberman. So that is the content. 

General Minihan. The content is about money. She does not 
know. I do not know who is asking me for the money. I do not 
know where the money went when I send it, and I do not know if—
she says, just send it to You Pick It because I bought a new outfit.
I do not know if all that has occurred until after the fact. Well, I
am vulnerable in that economic transaction and there are people 
who would take advantage of that vulnerability. 

So conflict in the information age has a much broader sense, and 
the Director is absolutely right. There are militaries thinking their
way through the military application, but I think at your level, we
are going to see it as a much more substantial issue than just
information.

Senator Lieberman. That is a good point, and I appreciate your 
making the point. 

Before I get to what might be done to defend against this threat, 
I think it is important for the public that will hear about this
hearing and our concern about this, and again, I understand that you
can only say so much in an open hearing, to understand that we 
in the United States also have information war capacity. In other 
words, we have not decided to disarm here. We have a developed 
information warfare offensive capacity. At the level of generality 
that you wish to address it, can we assure people of the country 
that that is true? 

Mr. Tenet. Well, we are the wrong people to ask, but we can
assure them that we are not asleep at the switch in this regard.

Senator Lieberman. That is certainly my understanding. I mean, 
we may want to come back in a bit, and I will, about what extent 
we can use to try to protect ourselves defensively, but let me come 
to the issue now that I do not understand, which is as complicated 
as this problem is—and it is enormously complicated—I was
thinking as I was listening to your testimony about the Congressional
focus on missile defense, theater and national missile defense, the
difficulty there, but it is in some ways, I hate to use the word
easier, but we have satellites that are capable of noticing a launch of
a missile. 

But there are millions of places of origin that are not subject, as 
I understand it, to conventional satellite radar, whatever, detection 
systems. Then we have the problem, once the missile gets up, of 
how do you stop it, and as others have said, it is how do you hit 
a bullet with a bullet. 

Maybe once an information warfare attack is launched, the site 
of the origin is enormously complicated to detect. Maybe it is
somewhat more manageable to stop it, but that is my question. Are
there technologies now in existence or being developed that can
protect our transportation infrastructure, fiscal infrastructure,
military infrastructure from this kind of attack, which is to say an
information warfare attack that intends to disrupt or confuse our
systems?

General Minihan. Sir, I think you asked exactly the right
question, and the analogy to missile defense is a good analogy. The
industrial age had us think about indications and warning attack
assessment and defense and sequencing through that protection side
in a physical context, and what we are talking about here is a
virtual context.

I was tempted to mention to the Chairman, I would not yield to 
the point that we cannot do indications and warning. I would say 
that it will be a substantially, completely different process by 
which we do indications and warning and attack assessment. So we 
will develop in cyberspace, just like we have for missile defense, an 
indications and warnings scheme which allows us to see other
networks configuring, who is using it, and be able to defend in
cyberspace as opposed to report what has happened from a forensics
perspective. We will get to those technologies.

Senator Lieberman. But we do not have it now.

General Minihan. Well, I want to take you one more step.

Senator Lieberman. I am sorry. Yes.

General Minihan. We are now in the early stages of developing
those kinds of technologies. Now, this is where the Director’s point
about the close relationship with industry is very important. The
major industry service providers have a need for the same
information, and so we have a shared vulnerability there because we are
both riding on the same network, and we have a shared
relationship. Neither one of us want to lose the denial of service or
whatever. And it is in that scheme where you will start to see the new
technologies emerge as we build those relationships.

Senator Lieberman. Are we devoting sufficient resources to
developing those defensive technologies? For instance, is Congress
giving you and associated agencies adequate resources to deal with 
this? 

Mr. Tenet. I think the answer is yes. I think we are getting 
what we are asking for and we are at the front end of developing 
a more robust program and there will be more resources required 
over the course of time. I mean, we are just beginning the effort.

Senator Lieberman. Right.

Mr. Tenet. I think we are—I would say we are sound, but I do 
not think there is any doubt we are going to need more money in 
the future to deal with this problem. 

General Minihan. Sir, it is a growth area. I mean, we are going
to invest in it, and I think you have got a nice foundation to invest 
on. My own organization is the National Security Agency, so we 
also make—and we are investing in that relationship. There are 
any number of initiatives now to share vulnerabilities with
industry and to start to understand the threats—and to start to have
mutual investments in understanding that complex protection. So 
I think we are going to grow into it. 

If I could use the phrase scalability with you, if I were worried 
about something, I think at the end of the day, when you are
finished with your third hearing, there will be a cost associated with
scaling our protection capability out to a global context, not so 
much in the technology but in the scaling of it because it will be 
global, not geophysical. 

Senator Lieberman. Right. How about efforts to mitigate the 
damage once an attack has occurred? In other words, when we are 
dealing with weapons of mass destruction, chemical and biological, 
if we have evidence that someone is attempting to smuggle
something into the country or even that something has been set off, we
have defensive systems. Are those also being worked on here once 
we have reason to believe an attack has occurred to mitigate the 
damage? 

General Minihan. Yes, sir. We have—I am really not the one,
but I think you correctly bring together the notion here that we
want to defend in cyberspace, not have the forensics of what
happened to us. There are any number of organizations within DoD
now which look at those characteristics of the network, and you can
disconnect yourself from the network just as easily as you can stay
vulnerable. So you have some options available if you understand
your vulnerabilities and you execute those options at a layer which
still allows you to do the job that you would want to do. We are
developing those complexities.

Senator Lieberman. This is an interesting point, and maybe it
is one to get to at another stage, but part of the problem here, part
of the vulnerability is that we have so remarkably connected
computer systems, to our advantage, but as we have all said, that
advantage creates vulnerability, and I suppose it does raise a
question that we ought to consider, as to whether in some measure we
want to separate some particularly vital systems. What do we lose
by that and what do we gain in greater security if we do that? 

Coming back to our own offensive capability here in information 
warfare, and this is early thinking, I am sure. We were in a
discussion, and I give credit to Senator Glenn because he raised this
question in a discussion we had, but we ended up in the Cold War 
with the Soviets in a so-called mutual assured destruction, which 
was, in its way, a bizarre, in some sense, totally irrational system, 
but it seems to have worked, which is do not strike us because if 
you strike us, we will strike you back at least as devastatingly. 

It does seem to me that one alternative we have for a defense 
here, if you will, is the continued development of our offensive
capacity as a deterrent. I do not particularly invite a response, but
if you are interested in responding, I would be happy to hear it. 

Mr. Tenet. I think we will take you up on a non-response. We 
appreciate the offer. [Laughter.] 

Senator Lieberman. The other thing I would say, and then I will 
yield back to the Chairman, I appreciate what General Minihan
said, that leaders, in some sense, our leaders in this country are
way ahead of other leaders around the world in considering this
problem, and it may be that we want to raise this up at a
diplomatic level to begin to discuss it. I do not know whether this is
subject to the kind of international diplomacy, treaty making, a kind
of new world of arms control, conflict resolution process. 

You have given us a warning and it is a very real one and it is 
here and it is multi-polar and it is relatively cheap to get into.
Before long, I would guess, we are going to want to see whether there
is some sense in which we can develop some systems diplomatically
and in international law to try to at least reduce the vulnerability 
here. 

I was struck, and a final word, General Minihan, about your
description of Eligible Receiver because it did, I know, show some
vulnerability, but it seemed to me that you indicated that this was at
what I might call a medium level. It was not an all out, highly
sophisticated attack. Is it fair to say that it was carried out with a—
I am not asking for details, but with a moderate level of personnel
and at moderate expense, so this was not a big budget, big
personnel operation, which suggests in another way the range of the
threat that we face here?

General Minihan. Yes, sir. I would characterize that. The team
was less than 50. I gave them a couple of months, and-

Chairman Thompson. But highly competent personnel, since 
some of them are in the room here today, right? [Laughter.] 

General Minihan. Are the heads going up and down behind me? 
[Laughter.] 

And they understood their business.

Senator Lieberman. Yes.

General Minihan. Then we obeyed the law. So, essentially, in the 
nature of our test, essentially, if I were an adversary, I would not 
have been under any of those restrictions. I would have taken my 
time. I would not have just used openly available tools. I would use 
all of the tools at my disposal. I would have had a team that would 
have been together for a much longer period of time, and when it 
was finished, I would have run a legitimate campaign. 

Senator Lieberman. Right.

General Minihan. And I would like to come back to my other 
point with you. It would have been part of a larger phenomena of 
conflict in the information age. That is the other part that Eligible 
Receiver gives you, is that while this is occurring, there are other 
things happening in the policy maker and the leader’s mind. It is 
not clear that there is an information warfare component to the
Eligible Receiver exercise until you are well into it. It looks like
terrorist operations. It looks like you are having mechanical problems
with your infrastructure. 

Senator Lieberman. Right.

General Minihan. It is not a very clear state of affairs for the
decision makers. 

Senator Lieberman. That is such an important point. For
instance, if somebody fires a missile at us, we have a pretty high
probability of knowing that there is an incoming missile; not so
here.

I gather that during this Cloverdale situation, where the two 
young people in California working with the person in Israel, who 
were hackers, if I recall correctly, this happened at a time when 
we were contemplating, well known to the public, some sort of
military action against Iraq because of their noncompliance with the
inspection regime, and there was some concern that the evidence
of the hacking by the Cloverdale group might have been an initial
foray to test our vulnerability to the Iraqis. It was some period of
weeks before we were able to discover exactly where this was
coming from, so that something was incoming, but it was not clear
where it came from or what its intention was. As it turned out, its
intention was non-hostile, but that is part of the complexity. 

Anyway, your testimony has been, for me, riveting, very helpful, 
and you all have a lot of work to do. Thank you. 

Chairman Thompson. Thank you, Senator Lieberman.

Along the same lines, General Minihan, that you were just
discussing. It seems if we cannot consider an attack of this nature in
isolation or in terms of mutually assured destruction, is it not true
that in all probability, that any major military offensive of the
future would be preceded by an attack such as this—an information
disruption attack—whether or not the subsequent attack was a
land war or an air war or a nuclear attack? Would it not stand to 
reason, or is this getting into something we do not need to get into? 

General Minihan. No. I just would share with you, if you mean 
preceded in a sequencing sense, I would nod my head, but I am
trying to say it is an inclusive part of an overall effort because our
vulnerabilities are not necessarily exactly where we defend. So you
are going to attack your adversaries’ vulnerabilities. They are not
going to attack our strengths, and if our strength is someplace else,
they are going to make that matching, depending upon what their
particular interests are. 

In this case, in Eligible Receiver, we used it throughout. So it 
preceded, it was in the middle of the exercise, and we used it at
the end. I like to return to lessons learned because you pick up a 
lot. What is your relationship with law enforcement? How do you 
do indications and warnings? 

We kidnapped a systems administrator in this scenario. Well, a 
systems administrator for us is the code clerk of the 21st century. 
The systems administrator understands how the network that you 
are using is configured. Well, it is a lesson learned, because if we 
lost a code clerk, we would all immediately react because that 
would understand—we need to think of your systems administrator 
in an equally powerful way, so you are getting a lot of that. But 
there were any number of instances through the exercise like that. 
It was not something that could just be phased. 

Chairman Thompson. Sure. Do you have anything to add to that, 
Mr. Tenet? 

Mr. Tenet. No, sir. 

Chairman Thompson. On the ability to develop the technology of 
the future as you were talking about, I think that is something we 
naturally look for in this country. We think that if we do not have 
it, we will soon have the technological ability to deal with it. It is
kind of ironic that many of us think that we cannot develop the 
technology to defend ourselves against a missile but we can develop 
the technology to defend ourselves against something much more 
complex.

We are a country that also thought a few years ago that someone 
would surely come along with some simple way to cure the year 
2000 problem and that did not happen. I think that, clearly, we 
need to do what we can in that regard, but certainly not be
sanguine under the notion that we will be able to effectively do it.

Mr. Tenet. Mr. Chairman, I feel very strongly about this and I 
am going to say it again. There is not any technology available to
solve this problem unless this country gets about the business of 
building a system of trust and security for its information network. 
It is not going to work. The layered approach and the approach 
that General Minihan talked about, if you want to give us a chance 
to do the diagnostics and if you want to give us a chance to
understand what has happened, then you have got to make it a lot
tougher for people to break into the system. 

We have all been logjammed on this encryption debate. Nobody 
is moving in the direction that we need to because we do not have 
the trust and confidence in government and industry that is needed 
and the consequences are that our vulnerability increases every 
day. People have to get off the dime and understand that some
system based on trust, a key management infrastructure that assures
authentication and integrity and non-repudiation, starts to be built 
or we are not going to have the tool at our disposal that we need 
to minimize and isolate these attacks to understand them. We will 
not be able to deliver. 

Chairman Thompson. You have come back to this a time or two
and you speak with passion on this point, so I want you to
elaborate on this a little bit. I think the American people need to
understand this. Tell us what you perceive to be the nature of the
situation today between the competing interests, if you want to call
them in competition—between industry and the private sector on 
the one hand and the government on the other. 

We are all aware of the fact that there is an encryption debate 
going on and different people have different ideas. But elaborate if 
you would on where you see the debate standing today and then 
take us to where you think we are going to have to go, because you 
clearly think that that is the key. So elaborate on that for me. 

Mr. Tenet. Well, Senator, I did not mean to be so passionate, but
anyway- [Laughter.]

Chairman Thompson. No, that is good.

Mr. Tenet. But in any event, there is an ongoing debate between 
industry and government about what to do about encryption, and 
at the heart of it is there is a lack of trust. 

Chairman Thompson. Now, for those who are watching here,
describe the encryption situation a bit, just for the layman.

Mr. Tenet. Go ahead. 

General Minihan. Sir, we have had a discussion, I think
legitimately, in the past, which begins with our transition from a
technological perspective, from our ability to protect ourselves with
hardware, known as Clipper Chip and things like that, black boxes,
to what became available, which is commercial software and
commercial products, which can also be used to protect ourselves and
are not necessarily government produced and government owned, 
as earlier. 

As we go through that transitional period, which is normal, we 
focused on the encryption that would be a part of that product. I 
am going to use the word “product”. As a result of that focus on
that product, encryption, what the Director is suggesting is-

Chairman Thompson. What is encryption? 

General Minihan. Encryption is the technology which allows us 
to scramble the information so that if I sent my money to my 
daughter and you intercepted it, you would not be able to tell what 
I was doing. It was secure. 

Chairman Thompson. All right. 

General Minihan. Now, what has occurred by having that
masking debate, and I mean that in a positive way, what we miss is
what we need is a discussion about a national information
assurance strategy, just like you referred to in mutual assurance. What
is the Nation’s strategy. Federal, State, and local, since all of those
components are there, and encryption is one service I would like,
security. I also want authentication, digital signature. I want
assured connectivity. I would like to know when the transaction is
complete. And I want to know that no one messed with this
transaction when it was being sent.

That rich set of security services is a product line which is much 
more substantial than the encryption discussion allows you to look 
at, and what I think we want to do is broaden the debate so that 
there is a trusting relationship in building those product lines. 

The services that are merged, the services that Senator 
Lieberman and I need to talk to our family, the kinds of things 
which naturally go, and when we build that, then we start to build 
this national information assurance strategy which then lets you,
I think, focus on who is going to do indications and warnings, what
is going to be the nature of the investment across it, what are the
relationships that you would like between industry and
government in the context of sharing information-

Chairman Thompson. Which is a separate debate about the sale 
of encryption devices in and of themselves. 

General Minihan. There is not. The debate of the sale in that
sense is twofold. Americans produce a very strong encryption
product and there are two components to its sale. One is we do not
want Iran to have a product like that. A rogue nation or somebody
should not—technology transfer, like in nuclear—that is why I
suggest you may want to add information technologies to weapons of
mass destruction. We would not want rogue nations to have strong 
encryption built by the United States. 

The second part is, there is an international component which 
says that the two nations, the one building and the one receiving, 
need to agree on the kind of product they would like. So there is
an enabling portion to it, also, which needs to be-

Chairman Thompson. A lot of people say that in encryption, the 
genie is out of the bottle and you cannot control it anyway and if 
we do not sell it, other people will, just to lay a little groundwork. 
Mr. Tenet, I know you had some additional comments. 

Mr. Tenet. The only thing I would say is the other issue that 
is out there is should this information be recoverable in some way, 
shape, or form, for example, by the law enforcement. The Director 
of the FBI has a terrible problem on his hands. Let us assume for 
a minute—let us replay the World Trade Center. Let us assume for 
a minute that he gets a court order that allows him to access the 
communications of a terrorist group. Let us assume for a minute 
he gets access to the communications but he cannot access the
contents of those communications because they are encrypted. The
building blows up. Thousands of people are killed and he has no 
guaranteed access. 

The whole question of how you recover information out of the 
encryption debate is important. One man’s privacy is another, the 
Director of the FBI’s, requirement to gather information. How do 
you protect the privacy and rights of Americans and at the same 
time protect the ability of the law enforcement community to do its 
job, and that is where the issue has been joined. 

As the Director of the CIA, let me give you another example. Let 
us assume for a minute I give my employees the ability to encrypt 
their information. Let us assume, God forbid, something untoward
happens, an illegal activity occurs. By virtue of encrypting their
information, they have also destroyed that information and I have no
ability to recover it. 

Or in companies, people engage in conspiracy theories and
activities and collude to commit crime against a major corporation and
they encrypt that conspiracy within their computer networks in
their business and the chairman of that company has no way to
recover that data.

Now, I would say to you that that is not a tolerable situation for 
either the private sector or the law enforcement community, and 
we are either going to do this voluntarily, we are going to work 
through this together and try and get it done, or we are going to 
get a major terrorist event and we are going to mandate it. Now
we are all dancing around each other trying to figure out what the 
right way to do this is. 

Well, there is a right thing to do for the country and we have 
to work out how to recover that data, whether it is by key escrow 
or other means, but there is a train wreck ready to happen unless 
we deal with the recovery piece of this encryption debate. It sure 
is going to happen. 

Chairman Thompson. On that particular point, it raises the
question concerning our potential assistance of other countries with 
regard to encryption, which brings us to supercomputers. As you 
know, there has been an ongoing discussion as to the extent to 
which we should be supplying certain so-called supercomputers to 
other countries, such as China. Some people are concerned that we 
are giving them information, we are giving them technical
information, encryption information, that would be useful to them in ways
such as you discuss. Do you have any opinion with regard to our 
policies concerning the sale or transfer of these supercomputers to 
other countries? 

General Minihan. Sir, it is certainly not mine to do from a policy 
perspective, but I would share with you two thoughts. One,
remember that it is the content that we are interested in, and so the
supercomputer, to the degree that it enhances your ability to work
in that environment, would be what we would want to think about,
not just the fact of. And so you want to see, I think, those kinds
of decisions in a policy sense that are very complex, not unlike the
technology transfer policy of the 20th century, where it looked at
what does it contribute to, and you want to have a very complex 
discussion about it. 

Second, to get back to your genie-out-of-the-bottle thought, it is
the sense that when you have these product lines which occur, that 
they have to be usable across international boundaries, and if they 
are not usable in a wide variety of contexts, then we are not going 
to be able to take advantage of them and the genie is not out of 
the bottle because we are unable to take advantage of these
commercial products in a larger sense because we do not have the
security services in which we can wrap that product line. So the real
commercial aspects of this awaits a nice robust set of security
services.

Chairman Thompson. Senator Lieberman, did you have another 
question? 

Senator Lieberman. Just very briefly, Mr. Chairman, about the 
encryption debate. I think that the discussion that General 
Minihan and Mr. Tenet have had with you has been very helpful, 
and in one sense, it at least brings to my mind how complicated 
this all is, because we have tended to think about the encryption 
problem as one that can be a frustration to law enforcement for the 
obvious reasons that you have stated, where law enforcement has 
had access to telecommunications and it has been very important 
to breaking cases. It has been particularly important in terrorism 
cases because prior knowledge is so critical, so you have got to have 
a prevention here. 

But in the situation we are talking about here, which is
information warfare and the vulnerability of the sophisticated, pervasive
information systems that we have in the United States, encryption
is a form of defense. That is the question I want to ask. Is not
encryption a form of defense against information warfare attack? I 
mean, part of it is to stop some hostile nation or terrorist group 
from cracking into our system, so we want encryption at that point, 
in that sense, to protect ourselves. 

Mr. Tenet. It is, Senator, a defense when it is embedded in a
system. When I talked to you about the management of a key
infrastructure with entities that certify your keys and you know that
the transaction is valid and they know who you are, who you say
you are, and they know you can send the money you sent, the
authentication—in a system that captures all those features, which
we are not focusing on developing because the implication is that
in the absence of that system, encryption will not be widely used
and we will not protect ourselves the way we need to protect
ourselves.

So it is a much bigger systemic issue that we have to tackle. So 
we are all focused on the narrow recovery issue. Meanwhile, we are 
not developing products and systems that we need to protect us as 
fully as we possibly can be protected. 

Senator Lieberman. Right. And, of course, the complication is 
that on the other side, we would not want a hostile nation, to
overuse the term, to have an encryption system that we find it
impossible to gain access to because that could protect their capacity to,
using more traditional military terms, launch against us.

We talk about stealth platforms, either in the air or under water. 
These encrypted information warfare systems, outside of the 
United States, are pretty much stealth platforms and in that sense, 
we would want to be able to figure out how to break through the
encryption. 

So I guess it is whose encryption and who has got the keys. But 
you are right, right now. What you have described today is serious, 
so serious and such a real threat—again, we are not here to panic 
people, but this is real and it is a whole new order of security 
threat. We ought to figure out how to get together and defend 
against it and set against these threats. I think the debates we are 
having about encryption and key access between the government 
and the private sector, frankly, do not seem that significant. We 
ought to figure out a way to overcome those debates and get
something done together, to go to your word, Mr. Tenet, build trust.

Finally, General Minihan, I just want to assure you that my son 
has also communicated a desire for cash across the Internet, so do 
not feel that you are alone. [Laughter.] Thank you, Mr. Chairman.

Chairman Thompson. Gentlemen, thank you very much for your
testimony today. We are going to have a vote any minute now,
supposedly. But this has been extremely helpful. I think that you have
helped to highlight this problem. You obviously are attending to it,
and we will look forward to working with you to develop solutions.
Thank you very much.

Mr. Tenet. Thank you, Senator.

Chairman Thompson. We will adjourn. 

[Whereupon, at 11:39 a.m., the Committee was adjourned.]